Business Continuity Planning


Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Business Continuity Planning

  1. 1. March 9, 2006 Business Continuity Planning Fred Klapetzky Derek Hanson
  2. 2. Agenda Business Continuity Planning - Overview BCP Definition Why Plan? Interdependency (Crisis Management, Emergency Response, Business Continuity) Business Continuity Planning - Process Business Impact Analysis Strategy Development & Selection Plan Development Training & Testing Deployment & Maintenance Business Continuity Planning - Pandemics Business Continuity Planning - Model School Marsh 2
  3. 3. Business Continuity Planning Overview Marsh 3
  4. 4. Business Continuity versus Disaster Recovery Business Continuity Planning (BCP): The identification and protection of business processes required to maintain an acceptable level of operations in the event of sudden, unexpected, or not so unexpected, interruptions of these processes and their supporting resources. Said another way, to do what is necessary to keep the critical business units running. Disaster Recovery (DR): Is the technical or IT portion of the BCP. Includes; Mainframe, Midrange (VAX, AS/400), Client Server (UNIX, NT, etc.) Disaster Recovery is a component of Business Continuity Marsh 4
  5. 5. Why Plan? “Disasters” happen Fire, Flood, Tornado, Earthquake, Hurricane… Network failure, server power supply failure, water main break… Lost data, corrupted data… What will you do when it does? Even with good plans in place, it may take hours before the extent of the damage has been determined The critical actions in a recovery or continuity process are taken within the first 8 hours in most situations Resources go to those that ask first (in most cases) Marsh 5
  6. 6. What does it take to cover all the bases? Business Continuity and IT recovery is a process, not a template to complete. Business Continuity is a program, not a project. Once you learn the process, you repeat it often to keep plans current, viable and focused on the critical components. The process gathers the data (specifications) to help make decisions in the development of a cost effective and focused program. Trying to write plans without gathering the data is like asking a person to build a house without any blueprints. You may get it done, but it will take longer and you may not like the end results. Marsh 6
  7. 7. How does all this “fit together”? Emergency Business Response Continuity Loss of IT Telecomm failure •Minor injury Supply chain • Fire quickly interruption extinguished •Bomb threat Physical / Information Security •Product Contamination Loss •Accounting Irregularities •Allegation of Impropriety Control Crisis Management Marsh 7
  8. 8. Business Continuity Planning Process Marsh 8
  9. 9. BCP Methodology - Overview Risk Plan Test Assessment & Maintenance BCP Plan Life Cycle Business Develop / Impact Execution Analysis Strategy Selection Marsh 9
  10. 10. Business Impact Analysis Provide independent view of risks Provide basis for determining cost effective strategies Determine critical and necessary business functions/processes and the resource dependencies Identify critical computer applications Estimate the financial and operational impact of the disruption and the required recovery time frame for the critical business functions Build business case for strategy selection Prepare solid foundation for plan development Marsh 10
  11. 11. Katrina Business Impacts Estimated recovery costs for individual universities and colleges in the hundreds of millions ($$) Estimated recovery costs for higher education in the impacted area in the billions ($$) Moody’s downgrades bond ratings Lost research Employee layoffs Elimination of academic disciplines Suspension of athletic programs Marsh 11
  12. 12. 12 Time of Disaster M M H N H Costs On-going M L L L L Strategy Development and Selection One-time N N N H N Strategies Could be 1 Week – 1 Month X X X X Timeframes 48 Hrs – 1 Week X X X X X Used < 48 Hrs X X X X Prior to Disaster X X X Inability to Maintain X Centralized command and Disadvantages control High Pre-disaster Costs X Requires Employees to X X Travel Away from Home Located in Close Proximity X X X to Current Facility Advantages Adequate Workspace X X X Available Network and Voice X X Connections Relocate to a Local Hotel Recovery Strategy Relocate to an Internal Mobile Recovery Work Remotely Hot-site Facility Marsh # 1 2 3 4 5
  13. 13. Plan Development Plan Contents: Introduction Recovery Organization Recovery Time Objectives Recovery Strategies Plan Activation Recovery Plans Plan Testing Plan Maintenance Attachments Marsh 13
  14. 14. Training & Testing Training: All employees Members of ERT, CMT, BCP Management Drills: Practice specific skills Use systems & equipment Exercises: Familiarization Validation Identify deficiencies Types: Walkthrough Mobilization Execution Marsh 14
  15. 15. Deployment & Maintenance Plan management Centralized monitoring Maintain control of standards Access all plans and components Decentralized creation and maintenance Update Tasks Resources Personnel Marsh 15
  16. 16. Business Continuity Planning Pandemics Marsh 16
  17. 17. Pandemics This is not a normal business continuity problem Basic assumptions are changed in a pandemic situation You must use a broader approach The planning for a pandemic can be used in other multi-location outages We’ll spend a few slides on background information Marsh 17
  18. 18. Avian Flu Preparedness – A Quick History In the past century, the US has been hit by 3 large scale influenza pandemics In all cases, viruses contributed by birds 1918 – killed over half a million Americans and more than 20 million around the world 1957 and 1968 – killed tens of thousands of Americans and millions around the world SARS (Severe Acute Respiratory Syndrome) Infected more than 8,000 people and killed nearly 800 Cost the Asian Pacific region roughly $40 billion Travel to Asia dropped 45% in the year following the outbreak Marsh 18
  19. 19. Avian Flu Preparedness – Current Facts The Current Issue Focus on H5N1 strain of the Avian Influenza A virus Diagnosed in Asia and Europe Bird to Human infection is rare however some deaths in Asia and Turkey USA does not import poultry from countries with verified as having Avian Influenza infected birds How the government is preparing for an avian flu outbreak Educating the populace about all aspects of this infection and following the latest developments on-line at and Ensuring access to laboratory testing for the virus, if suspected Coordinating response strategies with local & state public health officials Querying travelers with flu-like symptoms about possible exposure to poultry Implementing aggressive infection control measures Marsh 19
  20. 20. What is the risk? Virus mutates to a form that allows rapid human to human transmission Without immunity or vaccines in combination with air travel, the disease spreads quickly around the world Will it happen? Is a global pandemic likely in the next 5-10 years? If we spend time and effort on planning for avian flu and it doesn’t occur, is it all wasted effort? Marsh 20
  21. 21. If it occurs, what is the most likely scenario? Disease develops in geographic pockets (e.g. China) Government may/may not be open and responsive Quarantines and travel restrictions are not effective in containing infected people Disease spread by global travel Individual countries attempt to control by limiting travel Supply chains become disrupted Business and economies slow down globally Marsh 21
  22. 22. What are the effects on employees? Fear due to limited information initially Concerned about family and friends Potential initial over reaction (worried well) Normally healthy individuals disproportionate impact High (30%) absenteeism Health care system quickly overtaxed EMS can only treat/transport a fraction of patients Limited antiviral supplies – hording and disagreement over distribution Possibly months to develop and produce vaccines Marsh 22
  23. 23. What process should a college or university follow to improve preparedness Develop a better understanding of the most likely development scenarios (CDC, WHO, DHS, Public Health..) Understand how employees and the institution would be affected (focused risk assessment) Develop/update plans to minimize the impact on the institution Develop/update plans to minimize the impact on staff and their families Identify the internal resources required and increase as necessary Make a realistic assessment of the community and other external resources likely to be available Identify and train a senior management team to oversee crisis management Develop policies and educational programs for all staff Marsh 23
  24. 24. Business Continuity Planning Model School Marsh 24
  25. 25. Overview Process Understand current business continuity programs Complete business continuity pilot projects Leverage lessons learned Advantages Identify similarities and differences between institutions without direct comparison (instead comparing institutions to “model school”) Identify ability to leverage current business continuity practices between and among member institutions Gain efficiencies through the development of common terminology, tools and processes Marsh 25
  26. 26. Understand Current Programs Understand maturity of business continuity program at each member institution and current business continuity initiatives Understand processes performed at each member institution Student Life Cycle Admission Registration Support Services HR – Benefits Finance - Payroll Research Projects Project Accounting Development Athletics Athletic Recruiting Facilities PeopleSoft Telecommunications Miscellaneous Medical Center Public Safety Application Proposals Outreach – Radio/TV IT Systems Process: Institution: Institution 1 Institution 2 Institution 3 For illustrative purposes only. Does not include all processes. Marsh 26
  27. 27. Complete Pilot Project Develop common approach Develop common business continuity terminology Complete business continuity life cycle with pilot institution(s): Workbook approach Traditional approach Develop tools, processes and knowledge that may be used at other institutions Marsh 27
  28. 28. Leverage Lessons Learned Apply pilot project lessons learned, tools and processes to other member institutions Bring all member institution business continuity programs to at least a minimum standard level Develop process for maintaining business continuity plans and increasing program maturity levels Establish forum for on-going sharing of business continuity knowledge between member institutions Marsh 28
  29. 29. Marsh Contacts Fred Klapetzky 618.581.1047 Timothy Bishop 414.290.4740 Derek Hanson 920.831.2657 Marsh 29